Impact
The Appointment Booking Calendar plugin for WordPress contains a missing authorization flaw in the cpabc_appointments_filter_list function: the function does not verify that the requesting user holds a capability appropriate for viewing booking data. Any authenticated user with contributor-level access or higher can therefore retrieve internal booking details, including customer names, email addresses, phone numbers, appointment comments, and other personally identifiable information. The impact is a breach of confidentiality. It is an authorization bypass rather than a code-execution or privilege-escalation issue: the contributor account gains read access to data intended for site administrators or booking staff, not additional WordPress privileges.
Affected Systems
The vulnerability affects the codepeople Appointment Booking Calendar plugin for WordPress in versions up to and including 1.4.02. Any installation that has not been updated to a later release should be treated as vulnerable. Site operators should confirm the installed version (shown on the Plugins screen or listed by WP-CLI's `wp plugin list`) and determine whether it falls within the affected range. The plugin is commonly used on small business and scheduling sites where staff and clients manage appointments, so exposed records typically belong to members of the public rather than to site users.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, a value typical of a network-reachable, low-privilege, confidentiality-only finding. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. An attacker needs nothing more than an account at contributor level or higher, so the exploitation path is straightforward: log in with an existing contributor account and request appointment data through the plugin's exposed filter-list function. Because the function does not require a capability that the contributor role lacks, any account in that role or above can enumerate every booking stored on the site. Sites that allow open registration with contributor privileges, or that grant contributor accounts to guest authors, face the greatest exposure.
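The following is an added illustration of the bug class described above, not the plugin's own code. It shows a WordPress AJAX handler that relies on the login requirement of the wp_ajax_* hook as its only gate, next to a hardened version that adds a nonce check and a capability check. The action names (`example_filter_list`, `example_filter_list_secure`), the table `{$wpdb->prefix}example_bookings` and its column names are hypothetical; the WordPress API calls are real.

```php
<?php
/**
 * Added illustration of a missing-authorization flaw in a WordPress AJAX
 * handler, modelled on the class of bug described in the advisory above.
 * This is NOT the plugin's actual code: the action names, table name and
 * column names are hypothetical. Read the two handlers side by side.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* hooks fire for any logged-in user who can reach admin-ajax.php.
// Registering a handler here with no capability check means a contributor
// receives exactly the same rows as an administrator.
add_action( 'wp_ajax_example_filter_list', 'example_filter_list_vulnerable' );

function example_filter_list_vulnerable() {
    global $wpdb;
    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';

    // No current_user_can() and no nonce: every authenticated role reaches
    // this query and gets names, emails and phone numbers back.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, customer_name, customer_email, customer_phone, comment
               FROM {$wpdb->prefix}example_bookings
              WHERE customer_name LIKE %s",
            '%' . $wpdb->esc_like( $search ) . '%'
        )
    );
    wp_send_json( $rows );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_filter_list_secure', 'example_filter_list_secure' );

function example_filter_list_secure() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    //    A nonce alone is NOT authorization; a contributor who can load the
    //    page that prints the nonce can still replay it.
    check_ajax_referer( 'example_filter_list', 'nonce' );

    // 2. Authorization: require a capability the contributor role lacks.
    //    manage_options is administrator-only by default; a plugin may
    //    instead register its own capability and grant it to booking staff.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    global $wpdb;
    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, customer_name, customer_email, customer_phone, comment
               FROM {$wpdb->prefix}example_bookings
              WHERE customer_name LIKE %s",
            '%' . $wpdb->esc_like( $search ) . '%'
        )
    );
    wp_send_json_success( $rows );
}
```

To verify a fix of this shape, log in as a contributor and POST `action=example_filter_list_secure` to `wp-admin/admin-ajax.php`: the hardened handler returns HTTP 403 with a JSON error, whereas the vulnerable handler returns the full result set. The capability check, not the nonce, is what closes the gap the advisory describes; `check_ajax_referer` only stops cross-site request forgery.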
OpenCVE Enrichment